A new PHP for Windows remote code execution (RCE) flaw affects version 5.x and earlier versions, potentially impacting millions of servers worldwide.
Researchers at cybersecurity firm DEVCORE discovered a critical remote code execution (RCE) vulnerability, tracked as CVE-2024-4577, in the PHP programming language. An unauthenticated attacker can exploit the flaw to take full control of affected servers.
PHP is a popular open-source scripting language widely used for web development.
“While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system. This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack.” reads the advisory published by DEVCORE.
The vulnerability CVE-2024-4577 was reported to the PHP development team by the Devcore researcher Orange Tsai on May 7, 2024. The developers released a version that address the issue on June 6, 2024.
The flaw resides in the Best-Fit feature of encoding conversion within the Windows operating system. An attacker can exploit the flaw to bypass protections for a previous vulnerability, CVE-2012-1823, using specific character sequences. Consequently, arbitrary code can be executed on remote PHP servers through an argument injection attack, allowing attackers to take control of vulnerable servers.
Since the disclosure of the vulnerability and publicly availability of a PoC exploit code, multiple actors are attempting to exploit it, reported Shadowserver and GreyNoise researchers.
Shadowserver researchers observed multiple IPs testing PHP/PHP-CGI CVE-2024-4577 (Argument Injection Vulnerability) against its honeypot sensors starting on June 7th.
Greynoise researchers also reported malicious attempts of exploitation of the CVE-2024-4577.
“As of this writing, it has been verified that when the Windows is running in the following locales, an unauthorized attacker can directly execute arbitrary code on the remote server:
- Traditional Chinese (Code Page 950)
- Simplified Chinese (Code Page 936)
- Japanese (Code Page 932)
For Windows running in other locales such as English, Korean, and Western European, due to the wide range of PHP usage scenarios, it is currently not possible to completely enumerate and eliminate all potential exploitation scenarios.” continues the advisory. “Therefore, it is recommended that users conduct a comprehensive asset assessment, verify their usage scenarios, and update PHP to the latest version to ensure security.”
XAMPP Users are vulnerable due to a default configuration that exposes the PHP binary. Although XAMPP has not yet released an update for this vulnerability, DEVCORE provided instructions to mitigate the risk of attacks.
The experts recommend administrators of systems that cannot be upgraded and users of EoL versions, to apply a mod_rewrite rule to block attacks:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? – [F,L]
XAMPP users should find the ‘ScriptAlias’ directive in the Apache configuration file (C:/xampp/apache/conf/extra/httpd-xampp.conf) and comment it out.
“It is strongly recommended that all users upgrade to the latest PHP versions of 8.3.8, 8.2.20, and 8.1.29.” concludes the advisory. “However, since PHP CGI is an outdated and problematic architecture, it’s still recommended to evaluate the possibility of migrating to a more secure architecture such as Mod-PHP, FastCGI, or PHP-FPM.”
Pierluigi Paganini
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, RCE)